All https, all the time

This weekend, inspired by Tim Bray’s recent post Private By Default, I changed my website
willnorris.com to serve all traffic using HTTPS. At least for the time being (read: until I find something I’ve
terribly broken), all non-HTTPS traffic will be redirected to the secure version of the site.

I’ve had HTTPS support enabled on my site for about a year, primarily for ensuring that my own credentials were secure
when logging into the WordPress admin section of the site. You could always manually browse to the secure version of
any page if you manually typed in the ‘https’, I just never really advertised it. Now this site is all HTTPS, all the
time.

Why

Tim has an excellent list of reasons why privacy should be the default, but it was his first point that really
resonated with me:

This blog isn’t terribly controversial. But if only the “controversial” stuff is private, then privacy is itself
suspicious. Thus, privacy should be on by default.

In a free society, one shouldn’t have to justify their right to privacy. Our view on privacy has gotten so mixed up
that “Well, what have you got to hide?” is accepted as an almost reasonable question. As Bruce Schneier puts it so
eloquently in his essay The Eternal Value of Privacy,

A future in which privacy would face constant assault was so alien to the framers of the Constitution that it never
occurred to them to call out privacy as an explicit right. Privacy was inherent to the nobility of their being and
their cause […] It’s intrinsic to the concept of liberty.

So why make communication with this little site private? Because I can; it’s the one small part of the Internet that I
do have complete control of. It doesn’t protect my privacy in any way… my site is accessible by anyone. But it
does help protect your privacy, as anyone listening in on your Internet traffic won’t know what you’re looking at.
And more importantly, it helps combat the notion that privacy is reserved for controversial stuff.

One of the things I’ve really appreciated about Indie Web Camp is its focus on builders, people actively working
to further the principles of owning one’s own identity and content online. While there is certainly effort spent on
making these solutions usable for a non-technical audience, the first step must be to get things working on our own
sites. If, like Tim Bray, I believe that the web should be private by default, then I first have to make my own site
private by default.

Flipping the Switch

There’s basically three steps to having a secure website: finding a web host in your budget that will support HTTPS,
getting an SSL certificate, and configuring your site to use HTTPS.

Until relatively recently, you effectively needed a private IP address to run a secure website. And for the last year,
I’ve been doing just that by running my site from a virtual private server at Joyent, and it’s a much more expensive
hosting option. However, client support for Server Name Indication, which allows multiple secure sites to share an
IP address, is now at a point that shared hosting providers are beginning to support secure sites for reasonable prices.
This weekend, I moved my site to the new TextDrive, which easily supports SNI on their shared hosting accounts at no
additional cost.

As for the SSL certificate itself, Tim recommends a few sources in his article. Personally, I use a certificate from
Gandi, which is also where I register my domains. Certificates are free for the first year when you register or
transfer your domain there, and then $16 a year thereafter. A far cry from the $100+ certificates used to cost. There
are of course free options as well, though in my experience (particularly with StartSSL), their sites tend to be much
harder to navigate and understand.

Finally, Apache and WordPress make it very easy to use SSL. Within WordPress, you can simply set your site URL to
include ‘https’ at the beginning, and all generated URLs will be secure. Unlike Tim, I additionally chose to redirect
all HTTP traffic to HTTPS. I did this with a simple rewrite rule in my .htaccess file:

We’re finally at the point that it’s not prohibitively expensive to run a secure website. A certificate costs about the
same as a domain registration, and web hosting companies are beginning to support SNI. There are still non-trivial
technical hurdles to get over, and perhaps more importantly, education as to why “privacy by default” on the web
matters. But it’s now at least possible.